Re: DJB's students release 44 *nix software vulnerability advisories

Stephen Samuel writes:
> crackers will have up to 8 hours to code and use your bug

It's not _my_ bug. It's also not my student's bug. It's the _program's_
bug. Sorry to have to break the news to you, but the attacker has had a
_year_ to exploit the bug if the program was released a year ago.

You're under the delusion that the bug's existence and exploitability
were created by the messenger---the bug-report publisher---rather than
by the original programmer. I realize that this is a common delusion,
one of the big excuses for inadequate security efforts; one of the
virtues of full disclosure is that it forcibly overrides the delusion.

> I'm asking for a reasonable ammount of time for a responsible
> programmer to ensure that his/her user community is properly served
> and protected from the effects of the bugs.

Same delusion: you think that users are protected from security holes if
the security holes are patched before they're announced. Sorry, but
that's not nearly fast enough. Protecting the users means making the
programs secure before they're deployed in the first place.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago